DETAILED ACTION
Continued Examination Under 37 CFR 1.114 

1. A request for continued examination under 37 CFR 1.114, including the fee set 
forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this 
application is eligible for continued examination under 37 CFR 1.114, and the fee set 
forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action 
has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 
December 1, 2006 has been entered. 

2. Claims 7-12 are cancelled. Claim 20 is added. 

3. Claims 1-6, 13-20 are currently being considered. 

Response to Arguments 

4. Applicant's arguments filed December 1, 2006 have been fully considered but 
they are not persuasive for the following reasons: 

Regarding amended claim 1, the Applicant argues that the Cited Prior Art (CPA), 
Moran (U.S. Patent 6,647,400), does not disclose at least routing an event to a template 
where the template comprises a sequence of connected logic nodes. This argument is 
not found persuasive. It is asserted that the CPA does disclose a template that 
comprises a sequence of connected logic nodes. As stated in the previous Office 
Action, there are different types of intrusions which are checked in the CPA, including 
SetUID buffer overflows, file name changes, and SetUID commands. Each separate 
check is interpreted as a template. The CPA further discloses sensors which collect 
information and pass it to the event database (input node) (column 8 lines 12-20), then 
the collected information is evaluated (filtering node) (column 8 lines 32-34), and finally 
an alert is either issued or the event is dropped (output node) (column 8 lines 32-35). 
Therefore, it is asserted that these comprise a sequence of connected logic nodes. 
Furthermore, in regards to amended claim 1, the Applicant argues that the CPA does 
not disclose determining a filename based on the event and outputting the event for 
each event indicating modification of a critical file based upon the determined filename. 
This argument is not found persuasive. The CPA discloses that its intrusion detection 
system checks changes to system files and directories (column 11 lines 15-27), 
including checking for known patterns in filenames, which are known parts of attacks 
(column 11 lines 29-32). The particular system files which are being checked for 
modification are interpreted as the event. Furthermore, each particular system file 
(event) has an associated file signature that is associated with the particular system 
filename (column 31 lines 31-35). The CPA discloses a system for checking the 
signatures of a computer's system files to check for changes (column 31 lines 36-55), 
and outputting an alert if the file name has changed (column 32 lines 48-60). Therefore, 
it is asserted that the CPA does disclose the limitations of amended claim 1, and the 
rejection for these claims is given below. 

Claim Rejections - 35 USC § 102 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

5. Claims 1-20 are rejected under 35 U.S.C. 102(e) as being anticipated by Moran 
(U.S. Patent No. 6,647,400). 

6. Regarding claim 1, Moran discloses: 

reading an event representing at least one system call (column 7 line 65 - 
column 8 line 23, column 13 lines 26-42); 

routing the event to a template, the event comprising multiple parameters and the 
template comprising a sequence of connected logic nodes comprising at least one input 
node, at least one filter node, and at least one output node (column 7 line 65 - column 8 
line 23, column 8 lines 12-35, column 14 lines 13-31); 

filtering the event, based on the sequence of logic nodes of the template, as a 
possible intrusion based on the multiple parameters and either dropping the event or 
outputting the event, the filtering comprising: (column 8 lines 33-35, column 11 lines 15- 
65, column 32 lines 48-59): 

determining a filename based on the event (column 11 lines 29-32, column 31 
lines 31-35); 

outputting the event for each event indicating modification of a critical file based 
upon the determined filename (column 32 lines 48-60); and 

creating an intrusion alert for each event output from said filtering (column 8 lines 
33-35, column 11 lines 15-65, column 32 lines 48-60). 
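One way the template recited in claim 1 could be realised, shown as an added Python example that is neither the Office Action's nor Moran's code: an input node, a filter node that determines the filename and drops or outputs the event, and an output node that creates the alert. The critical-file list, the event fields and the sample events are constructed assumptions.

```python
# Added example (not the patent's code): the claimed template as three connected nodes.
# Files the template treats as unmodifiable (constructed list; claims 6 and 19).
CRITICAL_FILES = {"/etc/passwd", "/etc/shadow", "/bin/login"}
# Modification kinds signalled by system-call parameters (claims 2-5 and 15-18).
KIND = {"open": "truncation", "chmod": "permission bits", "chown": "ownership"}

def input_node(raw):
    """Input node: accept a sensor record and expose the syscall and its parameters."""
    return raw["syscall"], {k: v for k, v in raw.items() if k != "syscall"}

def determine_filename(syscall, params):
    """Determine the affected filename from the event; None if it is not a modification."""
    if syscall == "open":  # only an open for truncation counts as a modification
        return params["path"] if "O_TRUNC" in params.get("flags", ()) else None
    if syscall == "rename":
        return params["old"]  # the critical file is the one being renamed away
    if syscall in ("chmod", "chown"):
        return params["path"]
    return None

def filter_node(event):
    """Filter node: output the event if it modifies a critical file, else drop it."""
    syscall, params = event
    name = determine_filename(syscall, params)
    return event if name in CRITICAL_FILES else None

def output_node(event):
    """Output node: create the intrusion alert (old and new name for a rename)."""
    syscall, params = event
    if syscall == "rename":
        return f"ALERT rename: {params['old']} -> {params['new']}"
    return f"ALERT {KIND[syscall]}: {params['path']}"

def run_template(records):
    """Route every record through input -> filter -> output; return the alerts created."""
    alerts = []
    for raw in records:
        passed = filter_node(input_node(raw))
        if passed is not None:
            alerts.append(output_node(passed))
    return alerts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"syscall": "open", "path": "/etc/passwd", "flags": ("O_WRONLY", "O_TRUNC")},
    {"syscall": "open", "path": "/etc/passwd", "flags": ("O_RDONLY",)},  # read only: dropped
    {"syscall": "chmod", "path": "/tmp/scratch", "mode": 0o777},  # not a critical file
    {"syscall": "chown", "path": "/etc/shadow", "uid": 1000},
    {"syscall": "rename", "old": "/bin/login", "new": "/bin/login.bak"},
]
```

Running `run_template(SAMPLE_EVENTS)` yields three alerts (truncation, ownership, rename); the read-only open and the chmod of a non-critical file are dropped by the filter node.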
7. With respect to claim 14, Moran discloses a system for detecting critical file 
changes, comprising: 

a processor (column 5 lines 26-42); 

a memory storing instructions which, when executed by the processor, cause the 
processor to: 

route events to a template (column 7 line 65 - column 8 line 23, column 14 lines 
13-31); 

wherein the event comprises one or more parameters (column 11 lines 15-65, 
column 32 lines 48-59); and 

the template comprises a sequence of connected logic nodes comprising at least 
one input node, at least one filter node, and at least one output node (column 7 line 65 - 
column 8 line 23, column 8 lines 12-35, column 14 lines 13-31); 

filter the event as either a possible intrusion based on one of the one or more 
parameters and either dropping the event or outputting the event (column 8 lines 33-35, 
column 11 lines 15-65, column 32 lines 48-59); and 

create an intrusion alert if an event is output from the filter (column 8 lines 33-35, 
column 11 lines 15-65, column 32 lines 48-59). 

8. With respect to claims 2 and 15, Moran discloses a method, wherein said filtering 
further comprises providing the event to the determining a file name for each event 
comprising a parameter indicating modification of a permission bit on a file or directory 
(column 9 lines 33-47). 

9. With respect to claims 3 and 16, Moran discloses a method, wherein said filtering 
further comprises providing the event to the determining a filename for each event 
comprising a parameter indicating opening a file for truncation (column 11 lines 15-48, 
column 31 lines 31-56). 

10. With respect to claims 4 and 17, Moran discloses a method, wherein said filtering 
comprises providing the event to the determining a filename for each event comprising 
a parameter indicating modification of the ownership or group ownership of a file 
(column 9 lines 33-47, column 31 lines 30-57). 


11. With respect to claims 5 and 18, Moran discloses a method, further comprising 
outputting an alert message for each renamed file including the filename of the file and 
the new filename of the renamed file (column 9 lines 33-47, column 30 lines 7-13). 

12. With respect to claims 6 and 19, Moran discloses a method, comprising 
configuring a template based on a list of files and directories to be included or excluded 
based on whether the files and directories are considered unmodifiable (column 32 lines 
60-67). 
13. With respect to claim 13, Moran discloses a computer-readable medium storing 
instructions which, when executed by a processor, cause the processor to implement 
the method steps of claim 1 (column 5 lines 26-42, column 7 line 65 - column 8 line 23, 
column 11 lines 15-65, column 13 lines 26-42, column 32 lines 48-59). 

14. With respect to claim 20, Moran discloses a system, wherein the instructions 
causing the processor to filter the event comprise instructions causing the processor to 
determine a filename based on the event and output the event for each event indicating 
modification of a critical file based upon the determined filename (column 8 lines 33-35, 
column 11 lines 15-65, column 32 lines 48-60). 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Kaveh Abrishamkar whose telephone number is 571- 
272-3786. The examiner can normally be reached on Monday thru Friday 8-5. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 